Phishfarm: a Scalable Framework for Measuring the Effectiveness of Evasion Techniques Against Browser Phishing Blacklists
Total Page:16
File Type:pdf, Size:1020Kb
PhishFarm: A Scalable Framework for Measuring the Effectiveness of Evasion Techniques Against Browser Phishing Blacklists Adam Oest˚, Yeganeh Safaei˚, Adam Doupe´˚, Gail-Joon Ahn˚x, Brad Wardman:, Kevin Tyers: ˚Arizona State University, x Samsung Research, :PayPal, Inc. faoest, ysafaeis, doupe, [email protected], fbwardman, [email protected] Abstract—Phishing attacks have reached record volumes in lucrative data, phishers are engaged in a tireless cat-and- recent years. Simultaneously, modern phishing websites are grow- mouse game with the ecosystem and seek to stay a step ahead ing in sophistication by employing diverse cloaking techniques of mitigation efforts to maximize the effectiveness of their to avoid detection by security infrastructure. In this paper, we present PhishFarm: a scalable framework for methodically testing attacks. Although new phishing attack vectors are emerging the resilience of anti-phishing entities and browser blacklists to (e.g. via social media as a distribution channel [5]), malicious attackers’ evasion efforts. We use PhishFarm to deploy 2,380 actors still primarily deploy “classic” phishing websites [2]. live phishing sites (on new, unique, and previously-unseen .com These malicious sites are ultimately accessed by victim users domains) each using one of six different HTTP request filters who are tricked into revealing sensitive information. based on real phishing kits. We reported subsets of these sites to 10 distinct anti-phishing entities and measured both the Today’s major web browsers, both on desktop and mobile occurrence and timeliness of native blacklisting in major web platforms, natively incorporate anti-phishing blacklists and browsers to gauge the effectiveness of protection ultimately display prominent warnings when a user attempts to visit a extended to victim users and organizations. Our experiments known malicious site. Due to their ubiquity, blacklists are revealed shortcomings in current infrastructure, which allows a user’s main and at times only technical line of defense some phishing sites to go unnoticed by the security community while remaining accessible to victims. We found that simple against phishing. Unfortunately, blacklists suffer from a key cloaking techniques representative of real-world attacks— in- weakness: they are inherently reactive [6]. Thus, a mali- cluding those based on geolocation, device type, or JavaScript— cious website will generally not be blocked until its nature were effective in reducing the likelihood of blacklisting by over is verified by the blacklist operator. Phishing sites actively 55% on average. We also discovered that blacklisting did not exploit this weakness by leveraging cloaking techniques [7] to function as intended in popular mobile browsers (Chrome, Safari, and Firefox), which left users of these browsers particularly avoid or delay detection by blacklist crawlers. Cloaking has vulnerable to phishing attacks. Following disclosure of our only recently been scrutinized in the context of phishing [8]; findings, anti-phishing entities are now better able to detect and to date, there have been no formal studies of the impact mitigate several cloaking techniques (including those that target of cloaking on blacklisting effectiveness (despite numerous mobile users), and blacklisting has also become more consistent empirical analyses of blacklists in general). This shortcoming between desktop and mobile platforms— but work remains to be done by anti-phishing entities to ensure users are adequately is important to address, as cybercriminals could potentially be protected. Our PhishFarm framework is designed for continuous causing ongoing damage without the ecosystem’s knowledge. monitoring of the ecosystem and can be extended to test future In this paper, we carry out a carefully-controlled experiment state-of-the-art evasion techniques used by malicious websites. to evaluate how 10 different anti-phishing entities respond to reports of phishing sites that employ cloaking techniques I. INTRODUCTION representative of real-world attacks. We measure how this cloaking impacts the effectiveness (i.e. site coverage and Phishing has maintained record-shattering levels of volume timeliness) of native blacklisting across major desktop and in recent years [1] and continues to be a major threat to today’s mobile browsers. We performed preliminary tests in mid-2017, Internet users. In 2018, as many as 113,000 unique monthly disclosed our findings to key entities (including Google Safe phishing attacks were reported to the APWG [2]. Beyond dam- Browsing, Microsoft, browser vendors, and the APWG), and aging well-known brands and compromising victims’ identi- conducted a full-scale retest in mid-2018. Uniquely and unlike ties, financials, and accounts, cybercriminals annually inflict prior work, we created our own (innocuous) PayPal-branded millions of dollars of indirect damage due to the necessity phishing websites (with permission) to minimize confounding of an expansive anti-abuse ecosystem which serves to protect effects and allow for an unprecedented degree of control. the targeted companies and consumers [3]. With an ever- Our work reveals several shortcomings within the anti- increasing number of Internet users and services— in particu- phishing ecosystem and underscores the importance of robust, lar on mobile devices [4]— the feasibility of social engineering ever-evolving anti-phishing defenses with good data sharing. on a large scale is also increasing. Given the potential for Through our experiments, we found that cloaking can prevent browser blacklists from adequately protecting users by signif- icantly decreasing the likelihood that a phishing site will be phisher, who will attempt to fraudulently use it for monetary blacklisted, or substantially delaying blacklisting, in particular gain either directly or indirectly [14]. when geolocation- or device-based request filtering techniques Phishing attacks are ever-evolving in response to ecosystem are applied. Moreover, we identified a gaping hole in the standards and may include innovative components that seek protection of top mobile web browsers: shockingly, mobile to circumvent existing mitigations. A current trend (mimick- Chrome, Safari, and Firefox failed to show any blacklist ing the wider web) is the adoption of HTTPS by phishing warnings between mid-2017 and late 2018 despite the presence sites, which helps them avoid negative security indicators in of security settings that implied blacklist protection. As a browsers and may give visitors a false sense of security [15], result of our disclosures, users of the aforementioned mobile [16]. At the end of 2017, over 31% of all phishing sites browsers now receive comparable protection to desktop users, reported to the APWG used HTTPS, up from less than 5% and anti-phishing entities now better protect against some of a year prior [2]. Another recent trend is the adoption of the cloaking techniques we tested. We propose a number of redirection links, which allows attackers to distribute a link additional improvements which could further strengthen the that differs from the actual phishing landing page. Redirection ecosystem, and we will freely release the PhishFarm frame- chains commonly consist of multiple hops [17], [18], each work1 to interested researchers and security organizations potentially leveraging a different URL shortening service or for continued testing of anti-phishing systems and potential open redirection vulnerability [19]. Notably, redirection allows adaptation for measuring variables beyond just cloaking. Thus, the number of unique phishing links being distributed to grow the contributions of this work are as follows: well beyond the number of unique phishing sites, and such ‚ A controlled empirical study of the effects of server-side links might thus better slip past spam filters or volume-based request filtering on blacklisting coverage and timeliness phishing detection [20]. Furthermore, redirection through well- in modern desktop and mobile browsers. known services such as bit.ly may better fool victims [5], ‚ A reusable, automated, scalable, and extensible frame- though it also allows the intermediaries to enact mitigations. work for carrying out our experimental design. Ultimately, phishers cleverly attempt to circumvent existing ‚ Identification of actionable real-world limitations in the controls in an effort to maximize the effectiveness of their current anti-phishing ecosystem. attacks. The anti-phishing community should seek to predict ‚ Enhancements to blacklisting infrastructure after disclo- such actions and develop new defenses while ensuring that sure to anti-phishing entities, including phishing protec- existing controls remain resilient. tion in mobile versions of Chrome, Safari, and Firefox. II. BACKGROUND B. Phishing Kits Phishing is a type of social engineering attack that seeks A phishing kit is a unified collection of tools used to to trick victims into disclosing sensitive information, often via deploy a phishing site on a web server [21]. Kits are generally a fraudulent website which impersonates a real organization. designed to be easy to deploy and configure; when combined Attackers (phishers) then use the stolen data for their own with mass-distribution tools [9], they greatly lower the barrier monetary gain [9], [10], [11]. Cybercriminals are vehement to entry and enable phishing on a large scale [22]. They are in their attacks and the scale of credential theft cannot be part of the cybercrime-as-a-service